Governed XDR, MDR auto-response, and threat-classifier retraining.

The regulatory perimeter inside which AI-driven security operations and continuously-retraining detection now have to operate.

  • 01 AI-driven security operations (auto-isolate endpoints, auto-revoke credentials, auto-quarantine accounts, classifier-driven detection) increasingly operate outside human-in-the-loop review. SOC 2 for AI evidence schemes and the NIST AI RMF (GOVERN / MAP / MEASURE / MANAGE) establish what an auditable security-AI control looks like. ISO/IEC 42001 specifies the underlying AI management system.
  • 02 EU AI Act Article 9 (risk management) and Article 12 (record-keeping) classify high-risk security AI (threat detection, biometric access, critical-infrastructure protection) as requiring documented risk management, automatic record-keeping, human oversight, and regulator-readable audit trails. Standalone systems are due 2 December 2027; embedded systems (XDR, EDR, MDR platforms) 2 August 2028 under Omnibus VII.
  • 03 MITRE ATLAS (Adversarial Threat Landscape for AI Systems) provides the event taxonomy for documenting adversarial ML attacks (model poisoning, evasion, extraction) on production security AI. CMMC 2.0 Level 3 brings continuous AI-controls attestation into DoD-contractor certification, phasing through 2026 and beyond. CISA Secure-by-Design self-attestation extends the same posture to non-defense critical-infrastructure operators.
  • 04 SEC Item 106 of Regulation S-K (in force December 2023) requires four-business-day disclosure of material cybersecurity incidents on Form 8-K, plus annual disclosure of governance and risk-management processes including AI-driven controls. The four-day clock is unforgiving when the decision graph that produced the response is not reproducible.
  • 05 The per-decision audit record satisfies all of the above on one chain. For inference-time decisions: the action recommended, the envelope facets evaluated, the constraint scale applied (continuous, not binary allow / deny), the model attribution at the moment of the act, and the position in the per-tenant hash chain. For continuously-retraining classifiers: three independent divergence axes (behavioral, parameter, temporal) measured before the weights persist, with graduated response (constrain, freeze, rollback) signed onto the chain. Multi-tenant isolation native; zero customer-telemetry boundary.
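
A sketch of the inference-time record from item 05 as a per-tenant hash chain, added here as an illustration and not taken from any vendor's implementation. All field names, the genesis value, the [0, 1] range for the constraint scale, and the sample decisions are assumptions; record signing is not shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record of a tenant


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_decision(chain, tenant, action, facets, constraint_scale, model):
    """Append one inference-time decision to a tenant's chain and return it."""
    if not 0.0 <= constraint_scale <= 1.0:
        raise ValueError("constraint_scale is continuous in [0, 1]")
    body = {"tenant": tenant, "position": len(chain),
            "prev_hash": chain[-1]["hash"] if chain else GENESIS,
            "action": action, "facets": facets,
            "constraint_scale": constraint_scale, "model": model}
    chain.append(dict(body, hash=_digest(body)))
    return chain[-1]


def verify_chain(chain, tenant):
    """Return the position of the first bad record, or None if intact."""
    prev = GENESIS
    for pos, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if (body.get("tenant") != tenant or body.get("position") != pos
                or body.get("prev_hash") != prev
                or _digest(body) != record.get("hash")):
            return pos
        prev = record["hash"]
    return None


def demo():
    # Constructed sample decisions; names and values are illustrative only.
    chain, model = [], {"name": "example-classifier", "version": "constructed-v1"}
    append_decision(chain, "tenant-a", "isolate_endpoint",
                    {"asset_criticality": "high", "business_hours": True}, 0.35, model)
    append_decision(chain, "tenant-a", "revoke_credentials",
                    {"asset_criticality": "low", "business_hours": False}, 1.0, model)
    intact = verify_chain(chain, "tenant-a")
    chain[0]["constraint_scale"] = 1.0  # after-the-fact edit of an early record
    return intact, verify_chain(chain, "tenant-a")
```

A bare hash chain only makes edits and reordering evident. Proving who wrote a record, or that the tail was not truncated, needs signatures and an externally anchored head hash.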

The cybersecurity-AI regulatory surface, by the calendar.

Every framework below is enforceable today or about to be. Velma evidence is the format both sides expect.

Open deadlines

2 approaching

Sorted by soonest deadline first.

187 days to enforcement
Effective Dec 16, 2026

CMMC 2.0: Cybersecurity Maturity Model Certification

DoD contractors handling Controlled Unclassified Information must achieve Level 3 certification, with continuous monitoring and per-decision evidence for any AI-driven security controls in the boundary.

Phased rollout from final rule (16 Dec 2024). Roughly 80,000 contractors affected. AI-controls evidence is becoming the binding constraint for primes and their subs.

538 days to enforcement
Effective Dec 02, 2027

EU AI Act: Article 9 + Article 12 for high-risk security AI

Threat-detection, biometric-access, and critical-infrastructure security AI classified high-risk must ship with documented risk management, automatic record-keeping, human oversight, and regulator-readable audit trails.

Standalone systems 2 Dec 2027; embedded systems (XDR / EDR / MDR platforms) 2 Aug 2028 under Omnibus VII. Fines up to 7% of global turnover. The audit-format gap is the per-decision record runtime governance closes.

Already in force

1 examinable

The examiner can cite any of these on first request.

906 days examinable
Effective Dec 18, 2023

Item 106 of Regulation S-K: Cybersecurity Disclosure

Public companies must disclose material cybersecurity incidents within four business days on Form 8-K, with annual disclosure of governance and risk-management processes including AI-driven security controls.

In force. The four-day clock is unforgiving when the decision graph that produced the response is not reproducible. Audit-chain governance closes the materiality-attribution gap.
